<div dir="ltr">Hello,<br>I've configured squid to filter both HTTP and HTTPS traffic and for the most part the squid server is working correctly, however, I am always unable to log in with Skype.  Skype does send all the requests through the squid server, but looking into the cache.log I always get an Error negotiating SSL connection on FD 12: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher.<br>If I run: openssl s_client -crlf -connect <a href="http://157.55.56.164:443">157.55.56.164:443</a> I get exactly the same error. However if I run: openssl s_client -crlf -connect <a href="http://157.55.56.164:443">157.55.56.164:443</a> -tls1_2 -ssl2 I am able to connect. <br>If I disable HTTPS, Skype logs in with no problems.<br>I've searched on the mailing list archive and found that other people have had the same issues but none have been able to fix them. Is this a known issue with squid? Any help would be greatly appreciated.<br><br>My openssl version is: OpenSSL 1.0.1s-freebsd  1 Mar 2016 and my squid version is: Squid Cache: Version 3.5.19 configured with: '--with-default-user=squid' '--bindir=/usr/local/sbin' '--sbindir=/usr/local/sbin' '--datadir=/usr/local/etc/squid' '--libexecdir=/usr/local/libexec/squid' '--localstatedir=/var' '--sysconfdir=/usr/local/etc/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid/squid.pid' '--with-swapdir=/var/squid/cache' '--without-gnutls' '--enable-auth' '--enable-build-info' '--enable-loadable-modules' '--enable-removal-policies=lru heap' '--disable-epoll' '--disable-linux-netfilter' '--disable-linux-tproxy' '--disable-translation' '--disable-arch-native' '--enable-eui' '--enable-cache-digests' '--enable-delay-pools' '--disable-ecap' '--disable-esi' '--enable-follow-x-forwarded-for' '--enable-htcp' '--enable-icap-client' '--enable-icmp' '--enable-ident-lookups' '--enable-ipv6' '--enable-kqueue' '--with-large-files' '--enable-http-violations' '--without-nettle' '--enable-snmp' '--enable-ssl' 
'--with-openssl=/usr' 'LIBOPENSSL_CFLAGS=-I/usr/include' 'LIBOPENSSL_LIBS=-lcrypto -lssl' '--enable-ssl-crtd' '--disable-stacktraces' '--disable-ipf-transparent' '--disable-ipfw-transparent' '--enable-pf-transparent' '--with-nat-devpf' '--disable-forw-via-db' '--enable-wccp' '--enable-wccpv2' '--with-mit-krb5=/usr/local' 'CFLAGS=-I/usr/local/include -O2 -pipe  -I/usr/local/include -I/usr/local/include -fstack-protector -DLDAP_DEPRECATED -fno-strict-aliasing' 'LDFLAGS=-L/usr/local/lib  -pthread -L/usr/local/lib -L/usr/local/lib  -Wl,-rpath,/usr/local/lib:/usr/lib -fstack-protector' 'LIBS=-lkrb5 -lgssapi_krb5 ' 'KRB5CONFIG=/usr/local/bin/krb5-config' '--enable-auth-basic=LDAP SASL DB SMB_LM MSNT-multi-domain NCSA PAM POP3 RADIUS fake getpwnam NIS' '--enable-auth-digest=file' '--enable-external-acl-helpers=LDAP_group file_userip time_quota unix_group kerberos_ldap_group' '--enable-auth-negotiate=kerberos wrapper' '--enable-auth-ntlm=fake smb_lm' '--enable-storeio=aufs diskd ufs' '--enable-disk-io=DiskThreads DiskDaemon AIO Blocking IpcIo Mmapped' '--enable-log-daemon-helpers=file' '--enable-url-rewrite-helpers=fake' '--enable-storeid-rewrite-helpers=file' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/info/' '--build=amd64-portbld-freebsd10.3' 'build_alias=amd64-portbld-freebsd10.3' 'CC=cc' 'CPPFLAGS=-I/usr/local/include' 'CXX=c++' 'CXXFLAGS=-O2 -pipe -I/usr/local/include -I/usr/local/include -fstack-protector -DLDAP_DEPRECATED -fno-strict-aliasing ' 'CPP=cpp' --enable-ltdl-convenience<br>My current configuration is as follows:<br>http_port <a href="http://175.15.2.239:8080">175.15.2.239:8080</a> ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=100MB cert=/usr/local/etc/squid/serverkey.pem capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS 
dhparams=/etc/dh-parameters.2048 options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE<br><br>http_port <a href="http://127.0.0.1:8080">127.0.0.1:8080</a> intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=100MB cert=/usr/local/etc/squid/serverkey.pem capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS dhparams=/etc/dh-parameters.2048 options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE<br><br>https_port <a href="http://127.0.0.1:3129">127.0.0.1:3129</a> intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=100MB cert=/usr/local/etc/squid/serverkey.pem capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS dhparams=/etc/dh-parameters.2048 options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE<br><br>icp_port 0<br>dns_v4_first on<br>pid_filename /var/run/squid/squid.pid<br>cache_effective_user squid<br>cache_effective_group proxy<br>error_default_language en<br>icon_directory /usr/local/etc/squid/icons<br>visible_hostname hidden<br>cache_mgr admin@localhost<br>access_log /var/squid/logs/access.log<br>cache_log /var/squid/logs/cache.log<br>cache_store_log none<br>netdb_filename /var/squid/logs/netdb.state<br>pinger_enable off<br>pinger_program /usr/local/libexec/squid/pinger<br>sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /var/squid/lib/ssl_db -M 4MB -b 2048<br>sslcrtd_children 50<br>sslproxy_capath /usr/local/share/certs/<br>sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE<br>sslproxy_cipher 
EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS<br>sslproxy_cert_error allow all<br><br>#SKYPE according to: <a href="http://wiki.squid-cache.org/ConfigExamples/Chat/Skype">http://wiki.squid-cache.org/ConfigExamples/Chat/Skype</a><br>acl numeric_IPs dstdom_regex ^(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)|(\[([0-9a-f]+)?:([0-9a-f:]+)?:([0-9a-f]+|0-9\.]+)?\])):443<br>acl Skype_UA browser ^skype<br>http_access allow CONNECT localnet numeric_IPS Skype_UA<br>#END SKYPE<br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><br></div></div>
</div>
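An added example, not part of the original post and not Squid's own code: a small triage script that decodes the OpenSSL error string from cache.log and uses the function name in it to tell which side of the bumped connection failed, and therefore which of the directives shown in the configuration above to review. The sample log lines are constructed (only the first error string comes from the post), and the bit layout assumed is that of OpenSSL 1.0.x error codes.

```python
import re
from collections import Counter

# Shape of the cache.log message quoted in the post (OpenSSL 1.0.x error text).
ERR_RE = re.compile(
    r"Error negotiating SSL connection on FD (\d+): "
    r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)$")

def decode(line):
    """Decode one negotiation failure; return None for unrelated lines."""
    m = ERR_RE.search(line)
    if not m:
        return None
    fd, code, _lib, func, reason = m.groups()
    packed = int(code, 16)
    # OpenSSL 1.0.x packs 8-bit library, 12-bit function, 12-bit reason.
    rec = {"fd": int(fd), "lib": (packed >> 24) & 0xFF,
           "func": (packed >> 12) & 0xFFF, "reason": packed & 0xFFF,
           "func_name": func, "reason_text": reason.strip().rstrip(".")}
    # *_GET_CLIENT_HELLO: Squid was the TLS server reading a client's hello.
    # *_GET_SERVER_HELLO: Squid was the TLS client talking to the origin.
    if "CLIENT_HELLO" in func:
        rec["side"] = "client-facing"
        rec["check"] = "cipher= / options= on http_port and https_port"
    elif "SERVER_HELLO" in func:
        rec["side"] = "origin-facing"
        rec["check"] = "sslproxy_cipher / sslproxy_options"
    else:
        rec["side"], rec["check"] = "unknown", "n/a"
    return rec

def summarize(lines):
    """Count failures per (side, reason text) over a log excerpt."""
    return Counter((r["side"], r["reason_text"])
                   for r in map(decode, lines) if r)

# Constructed sample: timestamps, the helper line and the second error are
# made up for illustration; the first error string is the one in the post.
SAMPLE = [
    "2016/05/20 10:00:01| Error negotiating SSL connection on FD 12: "
    "error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher.",
    "2016/05/20 10:00:02| helper started (unrelated line)",
    "2016/05/20 10:00:03| Error negotiating SSL connection on FD 15: "
    "error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:"
    "sslv3 alert handshake failure",
]

if __name__ == "__main__":
    for (side, reason), n in summarize(SAMPLE).items():
        print(f"{n} x {side}: {reason}")
```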